
WEB-SERVER/OHS & JBCS & Apache

[OHS] Disabling SSL between nodeManager and the Admin Port (Linux/Unix environment)


===

https://hyuunchul.tistory.com/m/402

===

 

Tested version: OHS 12.2.1.4

 

The default demo certificate shipped with OHS 12.2.1.4 is valid for 5 years.

Besides reissuing the demo certificate (https://hyuunchul.tistory.com/388),

you can also switch the nodeManager listener from secure to plain mode

and disable SSL between nodeManager and the Admin Port altogether.

Be clear that this is a downgrade, not a fix: the nodeManager password and every lifecycle command then cross the socket in cleartext, so it is only defensible when both listeners stay bound to the loopback address (ListenAddress=localhost and Listen 127.0.0.1:9998, as in the configuration below) and nothing untrusted runs on the host. The OHS Node Manager plugin keeps logging a WARNING about the unencrypted admin-port connection every time the component starts.

 


 

#. Edit nodemanager.properties


Change the SecureListener option to false (keep AuthenticationEnabled=true and ListenAddress=localhost; the plain listener must not be reachable from other hosts).

#Fri Apr 21 09:12:40 KST 2023
#Node manager properties
#Fri Apr 21 09:05:34 KST 2023
DomainsFile=/app/ohs/ohs_12214/domains/ehc_domain/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1.4.0
AuthenticationEnabled=true
NodeManagerHome=/app/ohs/ohs_12214/domains/ehc_domain/nodemanager
JavaHome=/app/ohs/ohs_12214/oracle_common/jdk/jre
LogLevel=INFO
DomainsFileEnabled=true
ListenAddress=localhost
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
weblogic.StartScriptName=startWebLogic.sh
SecureListener=false
LogCount=1
QuitEnabled=false
LogAppend=true
weblogic.StopScriptEnabled=false
StateCheckInterval=500
CrashRecoveryEnabled=false
weblogic.StartScriptEnabled=true
LogFile=/app/ohs/ohs_12214/domains/ehc_domain/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50

 


 

#. Edit admin.conf

 

1. Change the SSLEngine option to off

2. Since no SSL certificate is needed anymore, comment out the SSLWallet option (to avoid confusion later). The SSLProtocol and SSLCipherSuite directives can stay; they are inert while SSLEngine is off.

##
# This Oracle HTTP Server configuration file contains directives
# required for communication between Node Manager and Oracle HTTP
# Server.  The port number and local address can be customized,
# but other changes are not recommended and may result in an
# inability to manage the lifecycle of the Oracle HTTP Server
# instance.
#
# If the port number or local address need to be customized, ensure
# that both the Listen and the VirtualHost directives are updated.
#

LoadModule dms_module "${PRODUCT_HOME}/modules/mod_dms.so"
LoadModule ossl_module "${PRODUCT_HOME}/modules/mod_ossl.so"

#[Listen] OHS_PROXY_PORT
Listen 127.0.0.1:9998
#[VirtualHost] OHS_PROXY_VH
<VirtualHost 127.0.0.1:9998>
  <IfModule ossl_module>
  #  SSL Engine Switch:
  #  Enable/Disable SSL for this virtual host.
  SSLEngine off

  ServerName localhost

  # Client Authentication (Type):
  # Client certificate verification type and depth.  Types are
  # none, optional and require.
  SSLVerifyClient None

  #  SSL Protocol Support:
  #  Configure usable SSL/TLS protocol versions.
  SSLProtocol TLSv1.2

  # Option to prefer the server's cipher preference order
  SSLHonorCipherOrder on

  #  SSL Cipher Suite:
  #  List the ciphers that the client is permitted to negotiate.
  SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA

  #Path to the wallet
  #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"

  <Location /dms/>
    SetHandler dms-handler
    Require all granted
  </Location>

  CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs ${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/admin_log 43200" common
  </IfModule>
</VirtualHost>

 


 

#. Start nodeManager

Check nodemanager.log for the "Plain socket listener started" line (a secure listener logs "Secure socket listener started" instead)

<INFO> <Plain socket listener started on port 5556, host localhost/127.0.0.1>

 


 

#. Modify the OHS component start script

The stock startComponent.sh connects to nodeManager over SSL only.

It therefore cannot be used with a plain listener.

A custom start script has to be created.

 

startComponent_plain.sh

Pass 'plain' as the last argument of nmConnect so WLST connects to nodeManager without SSL. nmConnect's seventh positional argument is nmType, which defaults to 'ssl'. Because the generated WLST script contains the nodeManager password in cleartext, the version below creates it in a private temporary directory and removes it on exit instead of leaving it world-readable under /tmp.

#!/bin/bash
# Starts an OHS component through a plain (non-SSL) Node Manager listener.
# Paths match the domain used throughout this post.

COMPONENT_NAME="comp1"
DOMAIN_NAME="ehc_domain"
DOMAIN_HOME="/app/ohs/ohs_12214/domains/ehc_domain"
ORACLE_HOME="/app/ohs/ohs_12214"
NM_HOST="localhost"
NM_PORT="5556"
NM_USER="admin"
NM_PASS="admin1234"

# The WLST script holds the Node Manager password in cleartext:
# keep it in a mode-700 directory and delete it when this script exits.
WLST_DIR="$(mktemp -d /tmp/startComponent_plain.XXXXXX)"
trap 'rm -rf "${WLST_DIR}"' EXIT
WLST_SCRIPT="${WLST_DIR}/startComponent_plain.py"

cat <<EOF > "${WLST_SCRIPT}"
# 7th argument nmType='plain': connect without SSL (WLST default is 'ssl')
nmConnect('${NM_USER}', '${NM_PASS}', '${NM_HOST}', '${NM_PORT}', '${DOMAIN_NAME}', '${DOMAIN_HOME}', 'plain')
nmStart('${COMPONENT_NAME}', serverType='OHS')
exit()
EOF

"${ORACLE_HOME}/oracle_common/common/bin/wlst.sh" "${WLST_SCRIPT}"

 

stopComponent_plain.sh

Likewise, pass 'plain' as the last argument of nmConnect so WLST connects to nodeManager without SSL. The generated file is named stopComponent_plain.py so it cannot collide with the start script's file, and it is removed on exit for the same reason.

#!/bin/bash
# Stops an OHS component through a plain (non-SSL) Node Manager listener.
# Paths match the domain used throughout this post.

COMPONENT_NAME="comp1"
DOMAIN_NAME="ehc_domain"
DOMAIN_HOME="/app/ohs/ohs_12214/domains/ehc_domain"
ORACLE_HOME="/app/ohs/ohs_12214"
NM_HOST="localhost"
NM_PORT="5556"
NM_USER="admin"
NM_PASS="admin1234"

# The WLST script holds the Node Manager password in cleartext:
# keep it in a mode-700 directory and delete it when this script exits.
WLST_DIR="$(mktemp -d /tmp/stopComponent_plain.XXXXXX)"
trap 'rm -rf "${WLST_DIR}"' EXIT
WLST_SCRIPT="${WLST_DIR}/stopComponent_plain.py"

cat <<EOF > "${WLST_SCRIPT}"
# 7th argument nmType='plain': connect without SSL (WLST default is 'ssl')
nmConnect('${NM_USER}', '${NM_PASS}', '${NM_HOST}', '${NM_PORT}', '${DOMAIN_NAME}', '${DOMAIN_HOME}', 'plain')
nmKill('${COMPONENT_NAME}', serverType='OHS')
exit()
EOF

"${ORACLE_HOME}/oracle_common/common/bin/wlst.sh" "${WLST_SCRIPT}"

 


 

#. Verify the OHS instance starts normally

Full startup log

[midadm@keuangkuo-linux ehc_domain]$ ./startComponent_plain.sh

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to Node Manager ...
Successfully Connected to Node Manager.
Starting server comp1 ...
Jun 10, 2025 5:22:05 PM oracle.ohs.plugin.nodemanager.OhsProcessManagementPlugin$ProcessImpl start
INFO: Starting server comp1
Jun 10, 2025 5:22:05 PM oracle.ohs.plugin.nodemanager.OhsProcessHandler start
WARNING: SSL is not enabled for the admin port of comp1. Thus, the connection between NodeManager and the admin port of comp1 is not secure. SSL must be enabled for this connection. For more information on how to enable SSL for this connection, refer to OHS documentation
Jun 10, 2025 5:22:05 PM oracle.ohs.plugin.nodemanager.OhsRunCommand execute

.....

<Jun 10, 2025 5:22:07 PM KST> <INFO> <ehc_domain> <comp1> <The server 'comp1' is running now.>
Successfully started server comp1 ...


Exiting WebLogic Scripting Tool.

 

WLST connects to the nodeManager process in plain mode:

Connecting to Node Manager ...
Successfully Connected to Node Manager.

 

Warning log showing that nodeManager and the Admin Port are not communicating over SSL. This is expected with SSLEngine off and will appear on every start:

WARNING: SSL is not enabled for the admin port of comp1. Thus, the connection between NodeManager and the admin port of comp1 is not secure. SSL must be enabled for this connection.
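The setup above only works, and is only tolerable, when three places agree: SecureListener in nodemanager.properties, the nmType passed to nmConnect, and SSLEngine in admin.conf, with every plain listener bound to loopback. The following audit script is an added example, not code from the original post or from Oracle; it parses the three fragments and reports any mismatch or non-loopback binding, and also recognises the "Plain socket listener started" log line. The sample inputs are constructed from the snippets on this page; the function and finding texts are this example's own.

```python
"""Consistency audit for a plain-mode (non-SSL) Node Manager / OHS admin-port setup.

Added example, not part of the original post. Sample inputs below are constructed
from the page's snippets; real use would read the files from the domain directory.
"""
import re

# Addresses on which a cleartext listener is acceptable (constructed list).
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Constructed samples: the relevant lines of the page's nodemanager.properties,
# admin.conf and the WLST script generated by startComponent_plain.sh.
NM_PROPERTIES = """\
# Node manager properties
ListenAddress=localhost
ListenPort=5556
SecureListener=false
AuthenticationEnabled=true
"""

ADMIN_CONF = """\
Listen 127.0.0.1:9998
<VirtualHost 127.0.0.1:9998>
  <IfModule ossl_module>
  SSLEngine off
  #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/OHS/instances/comp1/keystores/default"
  </IfModule>
</VirtualHost>
"""

WLST_SCRIPT = """\
nmConnect('admin', 'admin1234', 'localhost', '5556', 'ehc_domain', '/app/ohs/ohs_12214/domains/ehc_domain', 'plain')
nmStart('comp1', serverType='OHS')
exit()
"""


def parse_properties(text):
    """Parse a Java .properties file (key=value lines, '#' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_admin_conf(text):
    """Return ([(address, port), ...] from active Listen directives, SSLEngine value).
    Comment lines are skipped, so a commented-out SSLWallet is ignored as intended."""
    listens, ssl_engine = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"Listen\s+(?:(\S+):)?(\d+)\s*$", line)
        if m:
            listens.append((m.group(1) or "0.0.0.0", int(m.group(2))))
        m = re.match(r"SSLEngine\s+(\w+)\s*$", line, re.IGNORECASE)
        if m:
            ssl_engine = m.group(1).lower()
    return listens, ssl_engine


def nm_connect_type(wlst_text):
    """Return the nmType given to nmConnect: the 7th positional argument or nmType=...;
    WLST defaults to 'ssl' when it is omitted. None if there is no nmConnect call."""
    m = re.search(r"nmConnect\((.*?)\)", wlst_text)
    if not m:
        return None
    args = [a.strip() for a in m.group(1).split(",")]
    for a in args:
        if a.startswith("nmType="):
            return a.split("=", 1)[1].strip("'\" ")
    return args[6].strip("'\"") if len(args) >= 7 else "ssl"


def audit(properties_text, admin_conf_text, wlst_text):
    """Return a list of findings; an empty list means the plain-mode setup is consistent."""
    findings = []
    props = parse_properties(properties_text)
    secure = props.get("SecureListener", "true").lower() == "true"
    nm_type = nm_connect_type(wlst_text)
    listens, ssl_engine = parse_admin_conf(admin_conf_text)

    # Leg 1: WLST -> Node Manager. nmType must match SecureListener or the connect fails.
    if secure and nm_type == "plain":
        findings.append("nmConnect uses 'plain' but SecureListener=true: Node Manager expects SSL")
    if not secure and nm_type != "plain":
        findings.append("SecureListener=false but nmConnect is not 'plain': the stock startComponent.sh will not connect")
    if not secure and props.get("ListenAddress", "") not in LOOPBACK:
        bound = props.get("ListenAddress") or "all interfaces"
        findings.append(f"plain Node Manager listener bound to {bound}: credentials would cross the network in cleartext")
    if props.get("AuthenticationEnabled", "true").lower() != "true":
        findings.append("AuthenticationEnabled=false: the plain listener would accept unauthenticated commands")

    # Leg 2: Node Manager -> OHS admin port. With SSLEngine off the port must stay on loopback.
    if ssl_engine is None:
        findings.append("no active SSLEngine directive found in admin.conf")
    elif ssl_engine == "off":
        for addr, port in listens:
            if addr not in LOOPBACK:
                findings.append(f"admin port {addr}:{port} has SSLEngine off but is not bound to loopback")
    return findings


def plain_listener_started(nm_log_text):
    """True when nodemanager.log shows the plain listener coming up after the restart."""
    return re.search(r"<Plain socket listener started on port \d+", nm_log_text) is not None


if __name__ == "__main__":
    for finding in audit(NM_PROPERTIES, ADMIN_CONF, WLST_SCRIPT) or ["OK: plain-mode configuration is consistent"]:
        print(finding)
```

Run it against the real files by reading nodemanager.properties, admin.conf and the generated WLST script in place of the constructed constants; any finding means either the start script will fail to connect or a cleartext listener is reachable from the network.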